mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 04:17:25 +00:00
strongswan: Backport fix for CVE-2023-41913
Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2023-41913/strongswan-5.3.0-5.9.6_charon_tkm_dh_len.patch] Reference: https://www.strongswan.org/blog/2023/11/20/strongswan-vulnerability-(cve-2023-41913).html Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
committed by
Armin Kuster
parent
fc632d5bb0
commit
474cea683e
@@ -0,0 +1,46 @@
|
|||||||
|
From 027421cbd2e6e628f5f959c74d722afadc477485 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tobias Brunner <tobias@strongswan.org>
|
||||||
|
Date: Tue, 11 Jul 2023 12:12:25 +0200
|
||||||
|
Subject: [PATCH] charon-tkm: Validate DH public key to fix potential buffer
|
||||||
|
overflow
|
||||||
|
|
||||||
|
Seems this was forgotten in the referenced commit and actually could lead
|
||||||
|
to a buffer overflow. Since charon-tkm is untrusted this isn't that
|
||||||
|
much of an issue but could at least be easily exploited for a DoS attack
|
||||||
|
as DH public values are set when handling IKE_SA_INIT requests.
|
||||||
|
|
||||||
|
Fixes: 0356089d0f94 ("diffie-hellman: Verify public DH values in backends")
|
||||||
|
Fixes: CVE-2023-41913
|
||||||
|
|
||||||
|
Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2023-41913/strongswan-5.3.0-5.9.6_charon_tkm_dh_len.patch]
|
||||||
|
CVE: CVE-2023-41913
|
||||||
|
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
|
||||||
|
---
|
||||||
|
src/charon-tkm/src/tkm/tkm_diffie_hellman.c | 7 ++++++-
|
||||||
|
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
|
||||||
|
index 2b2d103d03e9..6999ad360d7e 100644
|
||||||
|
--- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
|
||||||
|
+++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
|
||||||
|
@@ -70,11 +70,16 @@ METHOD(key_exchange_t, get_shared_secret, bool,
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
-
|
||||||
|
METHOD(diffie_hellman_t, set_other_public_value, bool,
|
||||||
|
private_tkm_diffie_hellman_t *this, chunk_t value)
|
||||||
|
{
|
||||||
|
dh_pubvalue_type othervalue;
|
||||||
|
+
|
||||||
|
+ if (!key_exchange_verify_pubkey(this->group, value) ||
|
||||||
|
+ value.len > sizeof(othervalue.data))
|
||||||
|
+ {
|
||||||
|
+ return FALSE;
|
||||||
|
+ }
|
||||||
|
othervalue.size = value.len;
|
||||||
|
memcpy(&othervalue.data, value.ptr, value.len);
|
||||||
|
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
@@ -15,6 +15,7 @@ SRC_URI = "http://download.strongswan.org/strongswan-${PV}.tar.bz2 \
|
|||||||
file://CVE-2021-41991.patch \
|
file://CVE-2021-41991.patch \
|
||||||
file://CVE-2021-45079.patch \
|
file://CVE-2021-45079.patch \
|
||||||
file://CVE-2022-40617.patch \
|
file://CVE-2022-40617.patch \
|
||||||
|
file://CVE-2023-41913.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
SRC_URI[md5sum] = "0634e7f40591bd3f6770e583c3f27d29"
|
SRC_URI[md5sum] = "0634e7f40591bd3f6770e583c3f27d29"
|
||||||
|
|||||||
Reference in New Issue
Block a user